Louis Marascio is an entrepreneur, market hacker, and trouble maker in Houston, TX.

The Continuing Public/Private Surveillance Partnership


If you've been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance.

Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means to hack computers, and Facebook's Chief Security Officer explained to reporters that the attack technique has not worked since last summer. Yahoo, Google, Microsoft, and others are now regularly publishing "transparency reports," listing approximately how many government data requests the companies have received and complied with.

On the government side, last week the NSA's General Counsel Rajesh De seemed to have thrown those companies under a bus by stating that -- despite their denials -- they knew all about the NSA's collection of data under both the PRISM program and some unnamed "upstream" collections on the communications links.

Yes, it may seem like the public/private surveillance partnership has frayed -- but, unfortunately, it is alive and well. The main focus of massive Internet companies and government agencies both still largely align: to keep us all under constant surveillance. When they bicker, it's mostly role-playing designed to keep us blasé about what's really going on.

The U.S. intelligence community is still playing word games with us. The NSA collects our data based on four different legal authorities: the Foreign Intelligence Surveillance Act (FISA) of 1978, Executive Order 12333 of 1981, modified in 2004 and 2008, Section 215 of the Patriot Act of 2001, and Section 702 of the FISA Amendments Act (FAA) of 2008. Be careful when someone from the intelligence community uses the caveat "not under this program" or "not under this authority"; almost certainly it means that whatever it is they're denying is done under some other program or authority. So when De said that companies knew about NSA collection under Section 702, it doesn't mean they knew about the other collection programs.

The big Internet companies know of PRISM -- although not under that code name -- because that's how the program works; the NSA serves them with FISA orders. Those same companies did not know about any of the other surveillance against their users conducted on the far more permissive EO 12333. Google and Yahoo did not know about MUSCULAR, the NSA's secret program to eavesdrop on their trunk connections between data centers. Facebook did not know about QUANTUMHAND, the NSA's secret program to attack Facebook users. And none of the target companies knew that the NSA was harvesting their users' address books and buddy lists.

These companies are certainly pissed that the publicity surrounding the NSA's actions is undermining their users' trust in their services, and they're losing money because of it. Cisco, IBM, cloud service providers, and others have announced that they're losing billions, mostly in foreign sales.

These companies are doing their best to convince users that their data is secure. But they're relying on their users not understanding what real security looks like. IBM's letter to its clients last week is an excellent example. The letter lists five "simple facts" that it hopes will mollify its customers, but the items are so qualified with caveats that they do the exact opposite to anyone who understands the full extent of NSA surveillance. And IBM's spending $1.2B on data centers outside the U.S. will only reassure customers who don't realize that National Security Letters require a company to turn over data, regardless of where in the world it is stored.

Google's recent actions, and similar actions of many Internet companies, will definitely improve its users' security against surreptitious government collection programs -- both the NSA's and other governments' -- but its assurances deliberately ignore the massive security vulnerability built into its services by design. Google, and by extension, the U.S. government, still has access to your communications on Google's servers.

Google could change that. It could encrypt your e-mail so only you could decrypt and read it. It could provide for secure voice and video so no one outside the conversations could eavesdrop.

It doesn't. And neither does Microsoft, Facebook, Yahoo, Apple, or any of the others.

Why not? They don't partly because they want to keep the ability to eavesdrop on your conversations. Surveillance is still the business model of the Internet, and every one of those companies wants access to your communications and your metadata. Your private thoughts and conversations are the product they sell to their customers. We also have learned that they read your e-mail for their own internal investigations.

But even if this were not true, even if -- for example -- Google were willing to forgo data mining your e-mail and video conversations in exchange for the marketing advantage it would give it over Microsoft, it still won't offer you real security. It can't.

The biggest Internet companies don't offer real security because the U.S. government won't permit it.

This isn't paranoia. We know that the U.S. government ordered the secure e-mail provider Lavabit to turn over its master keys and compromise every one of its users. We know that the U.S. government convinced Microsoft -- either through bribery, coercion, threat, or legal compulsion -- to make changes in how Skype operates, to make eavesdropping easier.

We don't know what sort of pressure the U.S. government has put on Google and the others. We don't know what secret agreements those companies have reached with the NSA. We do know the NSA's BULLRUN program to subvert Internet cryptography was successful against many common protocols. Did the NSA demand Google's keys, as it did with Lavabit? Did its Tailored Access Operations group break into Google's servers and steal the keys?

We just don't know.

The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was "pretty sure that information within Google is now safe from any government's prying eyes." A more accurate statement might be, "Your data is safe from governments, except for the ways we don't know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want." That's a lousy marketing pitch, but as long as the NSA is allowed to operate using secret court orders based on secret interpretations of secret law, it'll never be any different.

Google, Facebook, Microsoft, and the others are already on the record as supporting these legislative changes. It would be better if they openly acknowledged their users' insecurity and increased their pressure on the government to change, rather than trying to fool their users and customers.

This essay previously appeared on TheAtlantic.com.


The Insecurity of Secret IT Systems

We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week.

It’s worse than you might have expected:

It runs on the outdated Windows 98 operating system, stores user credentials in plain text, and includes a feature called Threat Image Projection used to train screeners by injecting .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener's reaction during training sessions. The weak logins could allow a bad guy to project phony images on the X-ray display.

While this is all surprising, it shouldn’t be. These are the same sort of problems we saw in proprietary electronic voting machines, or computerized medical equipment, or computers in automobiles. Basically, whenever an IT system is designed and used in secret – either actual secret or simply away from public scrutiny – the results are pretty awful.

I used to decry secret security systems as "security by obscurity." I now say it more strongly: "obscurity means insecurity."

Security is a process. For software, that process is iterative. It involves defenders trying to build a secure system, attackers -- criminals, hackers, and researchers -- defeating the security, and defenders improving their system. This is how all mass-market software improves its security. It’s the best system we have. And for systems that are kept out of the hands of the public, that process stalls. The result looks like the Rapiscan 522 B x-ray system.

Smart security engineers open their systems to public scrutiny, because that’s how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results. Get ready for Rapiscan to claim that the researchers had old software, and the new software has fixed all these problems. Or that they’re only theoretical. Or that the researchers themselves are the problem. We’ve seen it all before.

6 public comments
3799 days ago
That's an accurate description of the modus operandi of Tribunal Superior Eleitoral, who runs elections in Brazil (only country in the world to use "perfectly secure" DRE voting machines and reject voter verified paper audit trails).
3801 days ago
The basic truth about secure systems.
South Portland, ME
3801 days ago
High quality government single source contract at your service?
New York, NY
3801 days ago
at least they're not networked. At the price these devices cost I can see why they decide upgrading OS is more danger than known risks in old OS but still...
3802 days ago
San Antonio, TX
3802 days ago
Just... Wow. I thought some of the other systems I've dealt with were bad for using Windows server 2003.
Colorado Plateau
3800 days ago
The "lawful intercept" hardware in ISPs runs off Windows 2000 and Solaris.
3802 days ago
Turns out the TSA is equally good at both airport and IT security
Washington, DC

To Hell With Economists Who Willfully Disregard Basic Economics to Engage in Partisan Flackery

To return to the CBO Obamacare report. It is really amazing that the admin spin (but I repeat myself) is that this is no big deal because hey, the job losses are a supply side effect, not a demand side effect. Amazing, and embarrassing to my profession, because some who have made this claim are economists who should -- and I am sure do -- know better.

The effect that the CBO points out is related to the fact that the phase-out of subsidies as income increases under Obamacare is effectively a tax on labor income. There is a very basic tenet in economics called Tax Incidence Analysis, which says that the effect of a tax on output (or in this case, input usage) doesn’t depend on whether the tax is imposed on the buyer or the seller. Impose it on the buyer (in this instance, employers), the demand curve shifts down: In Obamacare Spinworld, that’s BAD! Impose it on the seller (in this instance, workers), the supply curve shifts up, crucially by the same amount as the demand curve would shift down if the tax is imposed on the buyer. End result: both routes lead to the same destination in terms of the amount of employment and the take-home pay of workers.

The tax -- and remember, the subsidy phase out is equivalent to a tax -- drives a wedge between the price that buyers (employers) pay and sellers (workers) receive. It is this wedge that distorts decisions. It is the size of the wedge that determines the size of the distortion, and the size of the wedge is the same whether a given tax is imposed on the buyer, the seller, or split between them in any arbitrary way.

Again, this is the most basic economics. So how come some economists are saying the CBO report is nothing to worry about because the effect it identifies is due to a shift in the supply curve, rather than the demand curve?

Put differently, the workers who are (according to Admin Spin) going to enjoy freedom from the drudgery of labor as a result of the subsidy phase-out would be the very same workers who would be out of work if an equivalent tax had been imposed on employers. But I guess those people in the latter scenario (again: the very same people) wouldn’t be enjoying freedom from the drudgery of labor, or something, so that would be bad. (This brings to mind the scorn that Keynesian economists heaped on New Classical and RBC economists who suggested that unemployment is voluntary. What’s good for the goose . . . ) I guess you’re free to enjoy leisure when you decide it isn’t worth working, but you are not free to enjoy leisure if someone decides not to hire you.

Like I say. Truly embarrassing to the profession that any economist would do anything but call bullshit on the spin. Instead we see economists picking up their shovels and adding more manure to the pile, joining in the political flackery.

I am not alone in this opinion. Indeed, I should defer to Casey Mulligan, because he has been the one who has been assiduously documenting the perverse supply side effects of myriad Obama policies. His painstaking work nudged the CBO to revise its earlier conclusions about employment declines, though he still thinks they underestimate the effect. And he is also embarrassed and disgusted by the performance of many of our peers:

Mr. Mulligan reserves particular scorn for the economists making this “eliminated from the drudgery of labor market” argument, which he views as a form of trahison des clercs. “I don’t know what their intentions are,” he says, choosing his words carefully, “but it looks like they’re trying to leverage the lack of economic education in their audience by making these sorts of points.”

A job, Mr. Mulligan explains, “is a transaction between buyers and sellers. When a transaction doesn’t happen, it doesn’t happen. We know that it doesn’t matter on which side of the market you put the disincentives, the results are the same. . . . In this case you’re putting an implicit tax on work for households, and employers aren’t willing to compensate the households enough so they’ll still work.” Jobs can be destroyed by sellers (workers) as much as buyers (businesses).

When Mulligan says “we know it doesn’t matter on which side of the market you put the disincentives, the results are the same” he is summarizing the implications of tax incidence analysis. When he says “when a transaction doesn’t happen, it doesn’t happen” he means that the wedge between what employers pay and what workers receive causes some people not to be employed, and it doesn’t matter whether this is because an employer finds them too expensive to hire, or they find their take home too little to justify giving up leisure (or, enjoying “freedom” if you will).

Basic economics tells you that the Administration spin is wrong. Is it too much to ask that economists not only not spin along, but actually criticize it?
